Splunk Add-on for Microsoft Cloud Services: Where to install when using search head cluster and universal forwarder?

robdanl
Explorer

The Splunk Add-on for Microsoft Cloud Services documentation at http://docs.splunk.com/Documentation/AddOns/released/MSCloudServices/Install seems to be stating that you must configure the input on the search head if you are using a Universal Forwarder. Underneath, however, it says if installing on a search head cluster you should configure the input to be on the forwarder.

What are you supposed to do when you are using a search head cluster but the (unsupported) Universal Forwarder?

0 Karma

Bloodnite
Path Finder

Once you configure the API items for the O365 piece, it prompts for the O365 admin to log in to grant the Splunk app the access it needs... it then auto-populates the tenant ID after the token/authentication pieces go through.

0 Karma

adonio
Ultra Champion

It is recommended to use a Heavy Forwarder, as this app uses modular inputs.

0 Karma

robdanl
Explorer

I use a universal forwarder and I'm looking for recommendations that don't involve "don't use the universal forwarder" 🙂

It's an existing architecture I really don't want to change to get an add-on installed.

0 Karma

adonio
Ultra Champion

Well then 🙂
Here is a solution (I hope): you can install Python on the forwarder and configure the modular inputs manually. Some answers around it here:
https://answers.splunk.com/answers/150106/can-we-run-the-kafka-modular-input-on-a-forwarder.html
https://answers.splunk.com/answers/96184/python-script-with-universal-forwarder.html
Disclaimer: never tested it, so I am not sure it will work.
You can also try to set it up on your deployer (not on the SHC members) and then copy the inputs.conf,
or copy the entire configured app to the UF and see how it works. You will probably need to reconfigure the redirect-url value.
Hope it helps.

0 Karma

ddrillic
Ultra Champion

Based on the Where to install this add-on section, it seems that it's required only on the Search Heads.

0 Karma

robdanl
Explorer

I saw that as well. My concern (and correct me if you feel otherwise) is that if I have a search head cluster, installing this would result in the inputs being on every search head in the cluster - and then duplicate data being sent to the indexer.

This is due to the part that states "configure inputs on forwarders to avoid duplicate data collection" under "Search Head Clusters" comments.

0 Karma

ddrillic
Ultra Champion

Ok, so it says for the Search Heads -

-- *Install this add-on to all search heads where Microsoft cloud services knowledge management is required. Splunk recommends that you turn visibility off on your search heads to prevent data duplication errors that can result from running inputs on your search heads instead of (or in addition to) on your data collection node.*

So, I guess, the documentation says to install the add-on on the search heads and turn visibility off. You see, I don't know where the data comes from... ;-)

0 Karma
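The concern running through this thread is that the same modular input ends up enabled on more than one node (every SHC member, or a search head plus the collection node), so the indexer receives each event twice. The script below is an added example, not code from the thread, the add-on or Splunk: it parses inputs.conf snapshots gathered from several nodes (the node names, roles and the `mscs_storage_blob://tenant-logs` stanza are constructed sample data) and reports any non-built-in input stanza that is enabled on a search head or on more than one host. It relies only on the documented inputs.conf convention that a stanza is off when `disabled = 1` or `disabled = true`.

```python
"""Audit inputs.conf snapshots from several Splunk nodes for duplicate
modular-input collection (added example; sample data is constructed)."""
import re
from collections import defaultdict

# Built-in input schemes that are not modular inputs and are skipped here.
BUILTIN_SCHEMES = {"monitor", "batch", "tcp", "udp", "splunktcp", "script", "fschange"}

# Constructed snapshots: host -> (role, inputs.conf text). Hypothetical names.
SNAPSHOTS = {
    "sh1": ("search_head", """
[mscs_storage_blob://tenant-logs]
account = demo_account
disabled = 0
"""),
    "sh2": ("search_head", """
# same add-on deployed to every SHC member
[mscs_storage_blob://tenant-logs]
account = demo_account
"""),
    "hf1": ("heavy_forwarder", """
[mscs_storage_blob://tenant-logs]
account = demo_account
disabled = 1
[monitor:///var/log/messages]
disabled = 0
"""),
}


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}} (comments ignored)."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def is_enabled(settings):
    """inputs.conf stanzas are enabled unless disabled = 1/true."""
    return settings.get("disabled", "0").strip().lower() not in ("1", "true")


def is_modular_input(stanza):
    """Modular inputs look like scheme://name with a non-built-in scheme."""
    scheme, sep, _ = stanza.partition("://")
    return bool(sep) and scheme not in BUILTIN_SCHEMES


def enabled_modular_inputs(snapshots):
    """Return {stanza: [hosts]} for every enabled modular input, per host."""
    hosts_by_stanza = defaultdict(list)
    for host, (_role, text) in snapshots.items():
        for stanza, settings in parse_conf(text).items():
            if is_modular_input(stanza) and is_enabled(settings):
                hosts_by_stanza[stanza].append(host)
    return {s: sorted(h) for s, h in hosts_by_stanza.items()}


def find_duplicate_inputs(snapshots):
    """Inputs enabled on more than one host: each would collect the data again."""
    return {s: h for s, h in enabled_modular_inputs(snapshots).items() if len(h) > 1}


def find_search_head_inputs(snapshots):
    """Return {host: [stanzas]} for enabled modular inputs on search-head nodes."""
    findings = defaultdict(list)
    for stanza, hosts in enabled_modular_inputs(snapshots).items():
        for host in hosts:
            if snapshots[host][0] == "search_head":
                findings[host].append(stanza)
    return {h: sorted(s) for h, s in findings.items()}


if __name__ == "__main__":
    for stanza, hosts in find_duplicate_inputs(SNAPSHOTS).items():
        print(f"DUPLICATE: {stanza} enabled on {', '.join(hosts)}")
    for host, stanzas in find_search_head_inputs(SNAPSHOTS).items():
        print(f"SEARCH HEAD COLLECTING: {host} runs {', '.join(stanzas)}")
```

Run against real snapshots by replacing `SNAPSHOTS` with the merged output of `splunk btool inputs list` from each node; a clean deployment in the layout the thread converges on reports the modular input enabled on exactly one collection node and nothing on the search heads.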